I explained in my last tutorial how you can install Snort on Ubuntu; if you have not installed it yet, you can click here. In that article I mentioned that Snort has two running modes; today we will see how to do packet sniffing with Snort.

What is packet sniffing?

In packet sniffing, all you do is look at every packet passing through your interface, incoming as well as outgoing.

Pre-requisites for today’s experiment

Ubuntu Desktop 16.04.1; if you have an older version you can use that as well. (I’ve tested it on 16.04.1.)

Two virtual network interface cards on your Ubuntu virtual machine

Install virtual machine

You need to create a virtual machine in VMware Player with Ubuntu as the operating system, but there are a few things you need to take care of before finishing your VM setup. If you don’t know how to set up a virtual machine, you can read an article here.

sudo /usr/lib/vmware/bin/vmware-netcfg

Run this command on your host node; it will open the VMware Virtual Network Editor, something like this:

Two packets passed through the interface: one is the ECHO packet from the machine where you initiated the ping, and the other is the ECHO REPLY from the Snort machine. You have successfully captured your first two packets on interface ‘ens34’.

Step 3: Perform an nmap port scan on your Snort machine

nmap is an easy tool for scanning a machine for open ports; we will run an nmap scan against our Snort machine and see how Snort captures the nmap packets.

Why is packet sniffing beneficial?

You might be wondering why we are sniffing packets when there seems to be no actual use for it. Many people think that packet sniffing is not a very important part of Snort, but you can use packet sniffing to monitor your network.

If someone has performed an nmap scan against your machine, you can easily track the packets, make sure your open ports are not visible, and/or block the IP address that is scanning for open ports.
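To make concrete what the sniffer actually shows you in the two captures above (the ECHO / ECHO REPLY pair, and the burst of nmap probes), here is an added Python example that is not part of this tutorial and not Snort code: it builds a small constructed capture of raw IPv4 packets, decodes each one the way a sniffer would (ICMP echo vs. echo reply, TCP source/destination port and SYN/ACK flags), and then applies the simple monitoring idea from the last paragraph: a single source sending SYNs to many distinct ports on one host is flagged as a probable port scan. The IP addresses, port list and threshold are assumptions chosen for the example.

```python
"""Toy sniffer analysis: parse raw IPv4 packets, tell ICMP ECHO from ECHO REPLY,
and flag a source that probes many TCP ports on one host (the footprint an nmap
port scan leaves in a capture). Constructed packets only; this is an added
example, not the tutorial's own commands or Snort's code."""
import struct
from collections import defaultdict

def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left 0) in front of payload."""
    ver_ihl = (4 << 4) | 5                     # version 4, header length 5 words
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, 0, 0, 64, proto, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return header + payload

def build_icmp(icmp_type):
    """ICMP header: type, code, checksum (0), identifier, sequence."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)

def build_tcp_syn(sport, dport):
    """TCP header with data offset 5 (20 bytes) and only the SYN flag set."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 1024, 0, 0)

def parse_packet(raw):
    """Decode one raw IPv4 packet into a dict (src, dst, proto, plus ICMP kind or TCP ports/flags)."""
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    info = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "proto": proto}
    body = raw[ihl:total_len]
    if proto == 1:                                       # ICMP
        icmp_type = body[0]
        info["icmp"] = {8: "ECHO", 0: "ECHO REPLY"}.get(icmp_type, f"type {icmp_type}")
    elif proto == 6:                                     # TCP
        sport, dport, _seq, _ack, _off, flags = struct.unpack("!HHIIBB", body[:14])
        info.update(sport=sport, dport=dport, syn=bool(flags & 0x02), ack=bool(flags & 0x10))
    return info

def detect_port_scans(packets, threshold=10):
    """Map (src, dst) -> number of distinct ports hit with a bare SYN, for pairs at or above threshold."""
    probes = defaultdict(set)
    for p in packets:
        if p["proto"] == 6 and p["syn"] and not p["ack"]:
            probes[(p["src"], p["dst"])].add(p["dport"])
    return {pair: len(ports) for pair, ports in probes.items() if len(ports) >= threshold}

# Constructed sample capture (assumed addresses): a ping exchange, a 12-port SYN
# sweep from SCANNER, and one ordinary SSH connection attempt from PINGER.
SCANNER, SNORT_HOST, PINGER = "192.168.56.10", "192.168.56.20", "192.168.56.30"
SCANNED_PORTS = [21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3306, 8080]
CAPTURE = (
    [build_ipv4(PINGER, SNORT_HOST, 1, build_icmp(8)),
     build_ipv4(SNORT_HOST, PINGER, 1, build_icmp(0))]
    + [build_ipv4(SCANNER, SNORT_HOST, 6, build_tcp_syn(40000 + i, port))
       for i, port in enumerate(SCANNED_PORTS)]
    + [build_ipv4(PINGER, SNORT_HOST, 6, build_tcp_syn(50000, 22))]
)

def summarize(capture=CAPTURE):
    """Return (list of ICMP (src, dst, kind) tuples, port-scan report) for a capture."""
    parsed = [parse_packet(raw) for raw in capture]
    icmp = [(p["src"], p["dst"], p["icmp"]) for p in parsed if p["proto"] == 1]
    return icmp, detect_port_scans(parsed)

if __name__ == "__main__":
    icmp_events, scans = summarize()
    for src, dst, kind in icmp_events:
        print(f"{src} -> {dst}  ICMP {kind}")
    for (src, dst), count in scans.items():
        print(f"possible port scan: {src} probed {count} ports on {dst}")
```

The threshold is the knob a monitor would tune: a web browser opening a few connections to one host never reaches it, while the sweep above does on the first dozen packets. Real captures also carry an Ethernet header in front of the IP header and use checksums, which this toy parser deliberately skips.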